{
	"id": "76743520-9bf3-4487-acc8-a0ebdcc87a41",
	"created_at": "2026-04-06T00:17:32.829162Z",
	"updated_at": "2026-04-10T13:12:13.804994Z",
	"deleted_at": null,
	"sha1_hash": "6210a8284c194a3a4aca173956c208ebb91be007",
	"title": "Responses to Russia's Invasion of Ukraine Likely to Spur Retaliation | Mandiant",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 364598,
	"plain_text": "Responses to Russia's Invasion of Ukraine Likely to Spur\r\nRetaliation | Mandiant\r\nBy Mandiant\r\nPublished: 2022-03-04 · Archived: 2026-04-05 20:01:37 UTC\r\nWritten by: James Sadowski, Ryan Hall\r\nExecutive Summary\r\nMandiant Threat Intelligence assesses with moderate confidence that Russia will conduct additional\r\ndestructive or disruptive cyber attacks connected to the crisis in Ukraine. Russian cyber attacks almost\r\ncertainly will focus first on Ukraine, with Western/NATO allies also being possible targets.\r\nOrganizations making statements condemning Russian aggression and/or supporting Ukraine and\r\norganizations taking actions to restrict Russian participation in international commerce, competitions, and\r\nevents face elevated risk of future reprisal.\r\nWe assess that Sandworm and UNC2589 are two of the most likely actors to conduct cyber attacks in\r\nretaliation, although we judge that all high-profile Russian threat actors will continue or increase cyber\r\nespionage to enhance decision advantage against Ukrainian and NATO government targets.\r\nRetaliatory Cyber Attacks Likely\r\nRussia invaded Ukraine again on February 24, 2022, triggering international condemnation of their actions and a\r\nseries of responses from U.S., NATO, and European Union (EU) allies, including widespread sanctions from\r\nWestern governments on Russian banks and elites connected to the Putin regime. Mandiant observed multiple\r\ndisruptive and destructive cyber attacks targeting Ukrainian government and private sectors, including the\r\nNEARMISS (aka HermeticWiper or FoxBlade) wiper attack on February 23, 2022, and the PAYWIPE (aka\r\nWhisperGate) wiper attack on January 15, 2022.\r\nWe anticipate that Russia could conduct retaliatory actions, including additional destructive or disruptive cyber\r\nattacks, particularly against the government, financial services, and energy and utilities sectors. 
The nature and\r\nlength of NATO and Western sanctions and responses likely will heavily influence Russia's perception of high-priority targets for retaliation. Organizations making public statements condemning Russian aggression\r\nand/or supporting Ukraine and organizations taking actions to restrict Russian participation in\r\ninternational commerce, competitions, and events face elevated risk of future reprisal.\r\nhttps://www.mandiant.com/resources/russia-invasion-ukraine-retaliation\r\nPage 1 of 8\n\nFigure 1: Sectors facing elevated risk from Russian cyber operations\r\nFor mitigation and hardening recommendations, please review our:\r\nProactive Preparation and Hardening to Protect Against Destructive Attacks white paper\r\nDistributed Denial of Service (DDoS) Protection Recommendations white paper\r\nRussian Decision Doctrine\r\nRussian doctrine broadly follows a concept best described as \"controlled escalation\" or \"escalation\r\nmanagement/dominance,\" in which Russian forces gradually increase pressure, either through kinetic or non-kinetic methods, while gauging the adversarial reaction to each step until the adversary is willing to agree to\r\nfavorable terms for Russia. In theory, Russia then is able to continue to escalate its operations only as far as\r\nnecessary to achieve its desired outcome, relying on adversarial forces to back down first. This doctrine has\r\nsometimes been less accurately described as \"escalate to de-escalate,\" suggesting that Russia will act in a\r\nsignificantly escalatory manner in order to achieve its goal, beyond the threshold an adversary would be willing to\r\ncross, in an attempt to prevent adversarial escalation or response.\r\nRussian Information Warfare Doctrine\r\nRussian doctrine also views information warfare as a wide-ranging concept crucial to any armed and/or diplomatic\r\nconflict. 
Russian information warfare combines cyber operations, electronic warfare, psychological operations,\r\nand information operations, with the ultimate goal of controlling the \"information sphere\"—a vital component of\r\nRussian strategy. In addition to using destructive and disruptive cyber attacks in advance of kinetic ones (such as\r\nthose seen with PAYWIPE and NEARMISS), Russian doctrine calls for sustained information warfare throughout\r\nthe conflict, both as a supplement to military action and as a component of the aforementioned controlled\r\nescalation.\r\nRussia Likely to Respond to Western Sanctions\r\nAs one tool in its response, we assess that Russia will almost certainly engage its offensive cyber programs to at\r\nleast increase cyber espionage against primarily government targets to enhance decision advantage, and likely also\r\nconduct additional destructive or disruptive cyber attacks.\r\nRussia will likely task at least APT28 and Sandworm to engage Ukraine in multiple ways, such as\r\ninformation operations, intelligence collection, and additional disruptive or destructive cyber attacks to\r\ndegrade Ukraine's capabilities and supplement kinetic action.\r\nOther Russian state sponsored cyber espionage groups will—at a minimum—continue espionage activities\r\nagainst Ukraine and NATO-aligned nations. It is possible that Russian state sponsored operators will need\r\nto shift resources to focus on Ukraine and NATO-aligned nations during this conflict.\r\nCurrently, we assess that APT29 does not have a destructive mandate, whereas at least Sandworm and\r\nTEMP.Isotope likely do. 
Although we have no evidence of this happening in any previous operations, it is\r\npossible, however, that even actors without a destructive mandate could be ordered to turn over their\r\naccesses to groups with a destructive mandate in a time of war.\r\nLikely Threat Actors\r\nSandworm\r\nSandworm likely poses the greatest threat for destructive and disruptive attacks based on the group's historical\r\ntargeting of and destructive operations against Ukraine, which included the use of BLACKENERGYv2,\r\nBLACKENERGYv3, and INDUSTROYER as well as the NotPetya fake ransomware. Now that Russia has\r\ninvaded Ukraine, Sandworm, or another entity sponsored by the Russian General Staff Main Intelligence\r\nDirectorate’s (GRU) Main Center for Special Technologies (GTsST), almost certainly is involved.\r\nRecently, the U.S. and UK governments attributed a sophisticated supply chain operation to Sandworm,\r\nalthough Sandworm had not used this network for destructive activity. Sandworm's disruptive operations\r\nhave historically shown disregard or ignorance of potential secondary and tertiary effects. This, for\r\nexample, led to NotPetya spreading well beyond Ukraine and causing billions of dollars of damage\r\nworldwide.\r\nUNC2589\r\nUNC2589 is a cyber espionage cluster active since at least early 2021 that has employed a consistent set of tactics,\r\ntechniques, and procedures (TTPs). Its focus has been primarily in Ukraine and Georgia, but spearphishes have\r\nalso been detected targeting Western European and North American foreign ministries, pharmaceutical companies,\r\nand financial sector entities. We assess UNC2589 also has a destructive mandate, based on UNC2589’s possession\r\nof the WARYLOOK (aka WhiteBlackCrypt) file corruptor.\r\nUNC2589 has used a variety of publicly available and what appear to be proprietary malware. 
This group likely is\r\nat least partially a government-sponsored entity that we have observed conducting cyber espionage, but we have\r\nalso observed UNC2589 using tools associated with criminal activity. In mid-January 2022, a disruptive attack\r\nwiped multiple Ukrainian government computers and defaced Ukrainian government websites. Malware used to\r\nlaunch the corruption tool has been used by UNC2589. The overlaps in malware and targeting mean it is\r\nplausible that UNC2589 conducted these attacks, although we have not attributed that activity to UNC2589 at this\r\ntime.\r\nThe Ukrainian Government assesses this cluster is responsible for destructive activity undertaken against it,\r\nand they track this cluster as UAC0056.\r\nWe identified UNC2589 infrastructure that hosted the WARYLOOK file corruptor in June 2021, which\r\nalso indicates this actor has a destructive mandate. WARYLOOK (aka WhiteBlackCrypt) is a fake\r\nransomware that has code overlap with SHADYLOOK (aka WhisperKill), the file corruptor used in the\r\nJanuary 15 destructive attack on Ukrainian networks. SHADYLOOK was not fake ransomware but was\r\ndeployed with PAYWIPE (aka WhisperGate), which was posing as ransomware.\r\nThe attack on January 15 involved the use of GOOSECHASE (a subcomponent of WhisperGate) and\r\nFINETIDE (aka WhisperPack), both tools which we have observed UNC2589 also deploy. However, both\r\nGOOSECHASE and FINETIDE appear to have been used by multiple actors.\r\nUNC3715\r\nWe currently track the actor responsible for the February 23 NEARMISS (aka HermeticWiper) wiper attack as\r\nUNC3715. Although we have not yet connected this group to other named actors that we track, this group may\r\ncarry a broad destructive mandate as well, based on its deployment of NEARMISS. 
NEARMISS was notably\r\nmore sophisticated and capable than PAYWIPE, which could indicate this group has more resources available to it\r\nor is a component of another actor we track.\r\nTEMP.Isotope\r\nMandiant assesses that TEMP.Isotope also has a destructive mandate, although we have not observed this group\r\nuse a tool capable of destruction. However, this group’s choice of targets and data collection indicates an intent to\r\nconduct disruptive or destructive activities in the event they are tasked to do so. They have historically targeted\r\nprimarily western Europe and North America, with a focus on energy, local governments, and transportation, but\r\nalso have targeted water and other critical infrastructure facilities.\r\nCriminal Actors\r\nThe Russian intelligence services almost certainly have the ability to coopt criminals residing within Russia in\r\norder to achieve their desired ends, although we assess the Kremlin primarily overlooks criminal operations as\r\nlong as they refrain from targeting Russian domestic entities. In addition to financially motivated groups,\r\nhacktivist groups have also been conducting cyber operations in support of both Russia and Ukraine.\r\nWe consider it plausible that Russia could seek to use criminal actors against NATO nations as a means of\r\nreprisal. Criminal actors that reside in Russia often target entities within NATO nations and we surmise that\r\nRussia could task them to conduct destructive or disruptive operations against financial entities, relying\r\nheavily on ransomware or wipers as the method of disruption. 
However, it is similarly possible they could\r\nuse other disruptive or destructive methods.\r\nThe CONTI ransomware group announced at the end of February that it would offer its \"full support of\r\nRussian government\" against the West, supposedly to help counteract Western aggression against Russia.\r\nConti has reportedly also conducted targeting of journalists on behalf of the FSB.\r\nSandworm has historically used customized or generic versions of criminal tools and techniques in their\r\noperations, including their well-known employment of a modified BlackEnergy variant to disrupt the Ukrainian\r\npower grid in 2015. In June 2017, Sandworm unleashed NotPetya on Ukraine, a destructive tool built\r\nfrom and masquerading as the Petya ransomware. The campaign appeared designed to closely mimic a financially\r\nmotivated operation, likely in an attempt to obfuscate its true purpose of serving Russian strategic interests in\r\nUkraine. Both BlackEnergy and Petya source code had been leaked or was publicly accessible before Sandworm\r\ndeployed their modified variants, although we cannot rule out that Sandworm might have engaged with the\r\nmalware developers.\r\nRussian Disruptive or Destructive Operations Against Financial Sector\r\nMandiant anticipates that Russian action against the financial sector outside of the conflict zone will include cyber\r\nespionage to gather information about implementation of Western and international sanctions. We expect that\r\nRussian cyber threat actors will continue to conduct disruptive operations and spread disinformation regarding the\r\nUkrainian financial sector during the conflict. 
This activity may spill over to neighboring countries—like\r\nNotPetya did in 2017, resulting in billions of dollars in damage worldwide—or banking networks closely\r\nconnected to Ukraine's, and in extreme cases, Russia could choose to conduct disruptive or destructive activity\r\nagainst financial sector organizations outside of Ukraine.\r\nWe assess that a destructive mandate has likely been assigned to at least Sandworm, TEMP.Isotope, and possibly\r\nUNC2589. We judge that although APT29 likely has the technical proficiency to create their own disruptive\r\nmalware or the potential to purchase this malware from contract development teams such as those included in the\r\nSolarWinds sanctions, they likely do not have a disruptive or destructive mandate as they have not been observed\r\nconducting these operations or targeting critical infrastructure in preparation for disruptive or destructive activity.\r\nHistorically, Russia-sponsored targeting of financial entities has been relatively limited, though Mandiant has\r\nobserved likely Russian malware called QUIETCANARY at a European financial entity in the last six months.\r\nHowever, some older activity and significant recent Russian-sponsored disinformation and disruptive operations\r\ntargeted Ukrainian financial institutions, likely in an attempt to reduce the Ukrainian public's trust in its financial\r\nsystem.\r\nIf NATO elects to remove additional Russian entities from SWIFT or sanctions Russian entities that cross a\r\nRussian-perceived red line, Russia will likely respond, and could take action against NATO-aligned financial\r\nentities in a tit-for-tat response.\r\nEnergy Sector Also Likely Under Threat\r\nWe currently judge that if the NATO/Western response to Russia's invasion of Ukraine was perceived by Russian\r\nleadership as escalatory, Russia will likely seek to escalate in a manner that it deems proportional, without\r\ndrawing NATO further into conflict.\r\nThe decision to sanction Russian 
financial institutions as well as the cancellation of Nord Stream 2 is likely\r\nto lead to a Russian response. Russia likely has multiple options they could utilize as a part of their\r\ndecision calculus, which could include energy cost hikes, destructive cyber operations, or other economic\r\nmeasures designed to hurt Europe more than Russia.\r\nPossible Russian Responses\r\nWe judge there are two linked, viable measures Russia may choose to impose cost on NATO-affiliated countries\r\nthat would be less likely to draw NATO further into conflict: directly raising the cost of Russian gas supplies to\r\nEurope and disruptive or destructive cyber operations against non-Russian organizations that supply gas to\r\nEurope.\r\nDue to Europe's reliance on Russian energy supplies, raising the cost of gas as a part of an incremental\r\nescalatory measure likely would cause NATO nations and their citizens distress, without offering NATO\r\nsufficient justification to draw them into the war. Higher gas prices concurrently could cause backlash\r\nagainst the elected government officials of NATO nations, potentially damaging their reputation and\r\nreducing their political leverage both abroad and at home.\r\nRussian cyber attacks on energy-related facilities outside of NATO nations—which would likely include\r\nMiddle Eastern entities—could reduce the likelihood of a NATO response while simultaneously reducing\r\nNATO's leverage to respond to increased prices.\r\nFor example, Russian natural gas currently accounts for 40% of all of Europe's gas supplies. 
If\r\nRussia judges that raising prices is not an appropriate escalatory measure, Russia could undertake\r\ncyber attack operations against non-European suppliers as a means to raise gas prices and disrupt\r\nsupply chains.\r\nThese two options could limit the likelihood of disruptive or destructive cyber attacks against NATO energy\r\nentities, as such operations are more likely to cause a significant escalatory response from NATO and the U.S.\r\nHowever, it increases the possibility that Russia could seek to conduct operations outside of NATO's purview.\r\nMedia and Entertainment Industry a Possible Target\r\nRussia's ban from the Eurovision song contest, or the multiple sports organizations' decisions to cancel sporting\r\nevents with Russian teams or move competitions to new locations that were formerly scheduled to take place in\r\nRussia, could also spur Russian retaliatory action against the media and entertainment sector. Russia has\r\nhistorically placed a premium on its competition in high-profile international sports and entertainment events and\r\nhas previously used cyber operations to retaliate for perceived grievances.\r\nAs noted, Russian information warfare doctrine calls for control of the information sphere and, as a result,\r\nUkrainian media organizations will likely also be targeted in both physical and cyber space to help disseminate\r\nfabricated pro-Russia content, such as allegations of the surrender of Ukrainian government or military forces, as\r\nwell as to interrupt Ukrainian command and control and pro-Ukraine messaging.\r\nIf Russian state media channels continue to be blocked widely, Russia likely will respond with symmetric\r\naction to close Western news sites in Russia. 
It is possible that Russia may take further action in cyberspace\r\nif they feel Western outlets can still successfully reach Russian audiences.\r\nNotably, some of this type of activity likely will not be immediate; Russian cyber threat operators may begin\r\nplanning and establishing access to targeted environments, but any public-facing leaks, disruptions, or influence\r\ncampaigns are more likely to coincide with future sport or entertainment events to maximize the impact of the\r\nactivity.\r\nOlympic Athlete Doping Scandal\r\nAfter the International Olympic Committee (IOC) confirmed allegations of a widespread Russian state-sponsored\r\ndoping program, many Russian athletes were banned from the 2016 Summer Games, initiating a series of \"hack-and-leak\" and information operations that Russia almost certainly intended as retaliation.\r\nMost notably, under the guise of the \"Fancy Bears' Hack Team,\" APT28 began a hack-and-leak campaign\r\ntargeting the World Anti-Doping Agency (WADA) through major social media platforms and purpose-made websites. WADA had sponsored the original inquiry into Russian doping violations, which led to the\r\n2016 ban. APT28 compromised the networks of WADA and other Olympic or sporting organizations during\r\nmultiple operations from at least 2016–2018. In one instance, the Russian cutouts leaked the data of\r\nWestern athletes who had been approved for medical exemptions for certain drug prescriptions, likely to\r\nportray these athletes as no better than the banned Russian athletes.\r\nRussia was subsequently fully banned from the 2018 Winter Games, with a small number of Russian athletes\r\nallowed to compete under a neutral flag.\r\nIn February 2018, Sandworm likely conducted the cyber attack on the Opening Ceremony at the Winter\r\nOlympics in Pyeongchang, South Korea. 
This attack was likely again in retribution for Russia's ban from\r\nthe Games.\r\nTransportation and Logistics Sector Also Faces Elevated Risk, Particularly\r\nAviation\r\nMultiple global transportation sector organizations have begun to withdraw services and support to Russian\r\norganizations and this drawback could spur Russian retaliation both in an effort to punish the organizations\r\nresponsible as well as attempt to stop more organizations from isolating Russia further.\r\nTransportation and logistics giants like FedEx, UPS, and Maersk announced they would stop servicing\r\nRussian clients, cutting off major sources of global shipping and delivering to and from Russia.\r\nAviation organizations may face particularly elevated risk, given the extensive impact these actions will\r\nhave on both domestic and international Russian travel. Global reservations provider Sabre will no longer\r\nserve Russian carriers and both Boeing and Airbus announced they would cease providing support to\r\nRussian clients.\r\nConcurrently, destructive operations undertaken by Russian threat actors against other sectors may have\r\nsecondary and tertiary effects against entities within the transportation sector similar to when NotPetya\r\ndisrupted Maersk in 2017.\r\nRussia likely lacks other forms of leverage against these organizations, so disruptive cyber operations are likely if\r\nRussia selects to retaliate against organizations in this sector. Russia has previously targeted the aviation industry,\r\nincluding a Russian cyber attack on Boryspil airport outside Kyiv and a compromise of a U.S.-based airport’s\r\nsystems.\r\nOutlook and Implications\r\nRussia will almost certainly continue to use cyber operations for a variety of reasons to include espionage,\r\ninformation operations, and disruptive or destructive measures. 
In the event a disruptive or destructive action is\r\nselected, Russia is likely to task actors including Sandworm, UNC2589, UNC3715, and possibly TEMP.Isotope.\r\nGovernment, financial sector, energy and utility, and transportation and logistics organizations face elevated risk.\r\nSandworm and UNC2589 are likely the most significant threats to NATO-aligned entities in the event Russia\r\nseeks retribution for perceived NATO escalation beyond Russian red lines, such as more Russian banks' removal\r\nfrom SWIFT, or continued lethal aid NATO partners are sharing with Ukrainian forces. Russia could also task\r\ncriminal groups to conduct destructive or disruptive operations thereby muddying attribution while still\r\nresponding to perceived NATO escalation.\r\nCurrently, it is difficult to predict how Russia's invasion of Ukraine might unfold and the consequences NATO\r\nwill continue to seek to impose on Russia. However, sanctions like those against Russia's largest bank, Sberbank,\r\nand the potential for Russia's full removal from SWIFT may be red lines that will cause Russia to lash out at\r\nNATO-aligned organizations.\r\nSource: https://www.mandiant.com/resources/russia-invasion-ukraine-retaliation",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"MITRE"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.mandiant.com/resources/russia-invasion-ukraine-retaliation"
	],
	"report_names": [
		"russia-invasion-ukraine-retaliation"
	],
	"threat_actors": [
		{
			"id": "649b5b3e-b16e-44db-91bc-ae80b825050e",
			"created_at": "2022-10-25T15:50:23.290412Z",
			"updated_at": "2026-04-10T02:00:05.257022Z",
			"deleted_at": null,
			"main_name": "Dragonfly",
			"aliases": [
				"TEMP.Isotope",
				"DYMALLOY",
				"Berserk Bear",
				"TG-4192",
				"Crouching Yeti",
				"IRON LIBERTY",
				"Energetic Bear",
				"Ghost Blizzard"
			],
			"source_name": "MITRE:Dragonfly",
			"tools": [
				"MCMD",
				"Impacket",
				"CrackMapExec",
				"Backdoor.Oldrea",
				"Mimikatz",
				"PsExec",
				"Trojan.Karagany",
				"netsh"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "eecf54a2-2deb-41e5-9857-fed94a53f858",
			"created_at": "2023-01-06T13:46:39.349959Z",
			"updated_at": "2026-04-10T02:00:03.296196Z",
			"deleted_at": null,
			"main_name": "SaintBear",
			"aliases": [
				"Bleeding Bear",
				"Cadet Blizzard",
				"Nascent Ursa",
				"Nodaria",
				"Storm-0587",
				"DEV-0587",
				"Saint Bear",
				"EMBER BEAR",
				"UNC2589",
				"TA471",
				"UAC-0056",
				"FROZENVISTA",
				"Lorec53",
				"Lorec Bear"
			],
			"source_name": "MISPGALAXY:SaintBear",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "5b748f86-ac32-4715-be9f-6cf25ae48a4e",
			"created_at": "2024-06-04T02:03:07.956135Z",
			"updated_at": "2026-04-10T02:00:03.689959Z",
			"deleted_at": null,
			"main_name": "IRON HEMLOCK",
			"aliases": [
				"APT29 ",
				"ATK7 ",
				"Blue Kitsune ",
				"Cozy Bear ",
				"The Dukes",
				"UNC2452 ",
				"YTTRIUM "
			],
			"source_name": "Secureworks:IRON HEMLOCK",
			"tools": [
				"CosmicDuke",
				"CozyCar",
				"CozyDuke",
				"DiefenDuke",
				"FatDuke",
				"HAMMERTOSS",
				"LiteDuke",
				"MiniDuke",
				"OnionDuke",
				"PolyglotDuke",
				"RegDuke",
				"RegDuke Loader",
				"SeaDuke",
				"Sliver"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "c28760b2-5ec6-42ad-852f-be00372a7ce4",
			"created_at": "2022-10-27T08:27:13.172734Z",
			"updated_at": "2026-04-10T02:00:05.279557Z",
			"deleted_at": null,
			"main_name": "Ember Bear",
			"aliases": [
				"Ember Bear",
				"UNC2589",
				"Bleeding Bear",
				"DEV-0586",
				"Cadet Blizzard",
				"Frozenvista",
				"UAC-0056"
			],
			"source_name": "MITRE:Ember Bear",
			"tools": [
				"P.A.S. Webshell",
				"CrackMapExec",
				"ngrok",
				"reGeorg",
				"WhisperGate",
				"Saint Bot",
				"PsExec",
				"Rclone",
				"Impacket"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "1a76ed30-4daf-4817-98ae-87c667364464",
			"created_at": "2022-10-25T16:47:55.891029Z",
			"updated_at": "2026-04-10T02:00:03.646466Z",
			"deleted_at": null,
			"main_name": "IRON LIBERTY",
			"aliases": [
				"ALLANITE ",
				"ATK6 ",
				"BROMINE ",
				"CASTLE ",
				"Crouching Yeti ",
				"DYMALLOY ",
				"Dragonfly ",
				"Energetic Bear / Berserk Bear ",
				"Ghost Blizzard ",
				"TEMP.Isotope ",
				"TG-4192 "
			],
			"source_name": "Secureworks:IRON LIBERTY",
			"tools": [
				"ClientX",
				"Ddex Loader",
				"Havex",
				"Karagany",
				"Loek",
				"MCMD",
				"Sysmain",
				"xfrost"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "a241a1ca-2bc9-450b-a07b-aae747ee2710",
			"created_at": "2024-06-19T02:03:08.150052Z",
			"updated_at": "2026-04-10T02:00:03.737173Z",
			"deleted_at": null,
			"main_name": "IRON RITUAL",
			"aliases": [
				"APT29",
				"Blue Dev 5 ",
				"BlueBravo ",
				"Cloaked Ursa ",
				"CozyLarch ",
				"Dark Halo ",
				"Midnight Blizzard ",
				"NOBELIUM ",
				"StellarParticle ",
				"UNC2452 "
			],
			"source_name": "Secureworks:IRON RITUAL",
			"tools": [
				"Brute Ratel C4",
				"Cobalt Strike",
				"EnvyScout",
				"GoldFinder",
				"GoldMax",
				"NativeZone",
				"RAINDROP",
				"SUNBURST",
				"Sibot",
				"TEARDROP",
				"VaporRage"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "8941e146-3e7f-4b4e-9b66-c2da052ee6df",
			"created_at": "2023-01-06T13:46:38.402513Z",
			"updated_at": "2026-04-10T02:00:02.959797Z",
			"deleted_at": null,
			"main_name": "Sandworm",
			"aliases": [
				"IRIDIUM",
				"Blue Echidna",
				"VOODOO BEAR",
				"FROZENBARENTS",
				"UAC-0113",
				"Seashell Blizzard",
				"UAC-0082",
				"APT44",
				"Quedagh",
				"TEMP.Noble",
				"IRON VIKING",
				"G0034",
				"ELECTRUM",
				"TeleBots"
			],
			"source_name": "MISPGALAXY:Sandworm",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "7bd810cb-d674-4763-86eb-2cc182d24ea0",
			"created_at": "2022-10-25T16:07:24.1537Z",
			"updated_at": "2026-04-10T02:00:04.883793Z",
			"deleted_at": null,
			"main_name": "Sandworm Team",
			"aliases": [
				"APT 44",
				"ATK 14",
				"BE2",
				"Blue Echidna",
				"CTG-7263",
				"FROZENBARENTS",
				"G0034",
				"Grey Tornado",
				"IRIDIUM",
				"Iron Viking",
				"Quedagh",
				"Razing Ursa",
				"Sandworm",
				"Sandworm Team",
				"Seashell Blizzard",
				"TEMP.Noble",
				"UAC-0082",
				"UAC-0113",
				"UAC-0125",
				"UAC-0133",
				"Voodoo Bear"
			],
			"source_name": "ETDA:Sandworm Team",
			"tools": [
				"AWFULSHRED",
				"ArguePatch",
				"BIASBOAT",
				"Black Energy",
				"BlackEnergy",
				"CaddyWiper",
				"Colibri Loader",
				"Cyclops Blink",
				"CyclopsBlink",
				"DCRat",
				"DarkCrystal RAT",
				"Fobushell",
				"GOSSIPFLOW",
				"Gcat",
				"IcyWell",
				"Industroyer2",
				"JaguarBlade",
				"JuicyPotato",
				"Kapeka",
				"KillDisk.NCX",
				"LOADGRIP",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"ORCSHRED",
				"P.A.S.",
				"PassKillDisk",
				"Pitvotnacci",
				"PsList",
				"QUEUESEED",
				"RansomBoggs",
				"RottenPotato",
				"SOLOSHRED",
				"SwiftSlicer",
				"VPNFilter",
				"Warzone",
				"Warzone RAT",
				"Weevly"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "46b3c0fc-fa0c-4d63-a38a-b33a524561fb",
			"created_at": "2023-01-06T13:46:38.393409Z",
			"updated_at": "2026-04-10T02:00:02.955738Z",
			"deleted_at": null,
			"main_name": "APT29",
			"aliases": [
				"Cloaked Ursa",
				"TA421",
				"Blue Kitsune",
				"BlueBravo",
				"IRON HEMLOCK",
				"G0016",
				"Nobelium",
				"Group 100",
				"YTTRIUM",
				"Grizzly Steppe",
				"ATK7",
				"ITG11",
				"COZY BEAR",
				"The Dukes",
				"Minidionis",
				"UAC-0029",
				"SeaDuke"
			],
			"source_name": "MISPGALAXY:APT29",
			"tools": [
				"SNOWYAMBER",
				"HALFRIG",
				"QUARTERRIG"
			],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "730dfa6e-572d-473c-9267-ea1597d1a42b",
			"created_at": "2023-01-06T13:46:38.389985Z",
			"updated_at": "2026-04-10T02:00:02.954105Z",
			"deleted_at": null,
			"main_name": "APT28",
			"aliases": [
				"Pawn Storm",
				"ATK5",
				"Fighting Ursa",
				"Blue Athena",
				"TA422",
				"T-APT-12",
				"APT-C-20",
				"UAC-0001",
				"IRON TWILIGHT",
				"SIG40",
				"UAC-0028",
				"Sofacy",
				"BlueDelta",
				"Fancy Bear",
				"GruesomeLarch",
				"Group 74",
				"ITG05",
				"FROZENLAKE",
				"Forest Blizzard",
				"FANCY BEAR",
				"Sednit",
				"SNAKEMACKEREL",
				"Tsar Team",
				"TG-4127",
				"STRONTIUM",
				"Grizzly Steppe",
				"G0007"
			],
			"source_name": "MISPGALAXY:APT28",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "083d63b2-3eee-42a8-b1bd-54e657a229e8",
			"created_at": "2022-10-25T16:07:24.143338Z",
			"updated_at": "2026-04-10T02:00:04.879634Z",
			"deleted_at": null,
			"main_name": "SaintBear",
			"aliases": [
				"Ember Bear",
				"FROZENVISTA",
				"G1003",
				"Lorec53",
				"Nascent Ursa",
				"Nodaria",
				"SaintBear",
				"Storm-0587",
				"TA471",
				"UAC-0056",
				"UNC2589"
			],
			"source_name": "ETDA:SaintBear",
			"tools": [
				"Agentemis",
				"Cobalt Strike",
				"CobaltStrike",
				"Elephant Client",
				"Elephant Implant",
				"GraphSteel",
				"Graphiron",
				"GrimPlant",
				"OutSteel",
				"Saint Bot",
				"SaintBot",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "e3767160-695d-4360-8b2e-d5274db3f7cd",
			"created_at": "2022-10-25T16:47:55.914348Z",
			"updated_at": "2026-04-10T02:00:03.610018Z",
			"deleted_at": null,
			"main_name": "IRON TWILIGHT",
			"aliases": [
				"APT28 ",
				"ATK5 ",
				"Blue Athena ",
				"BlueDelta ",
				"FROZENLAKE ",
				"Fancy Bear ",
				"Fighting Ursa ",
				"Forest Blizzard ",
				"GRAPHITE ",
				"Group 74 ",
				"PawnStorm ",
				"STRONTIUM ",
				"Sednit ",
				"Snakemackerel ",
				"Sofacy ",
				"TA422 ",
				"TG-4127 ",
				"Tsar Team ",
				"UAC-0001 "
			],
			"source_name": "Secureworks:IRON TWILIGHT",
			"tools": [
				"Downdelph",
				"EVILTOSS",
				"SEDUPLOADER",
				"SHARPFRONT"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "ae320ed7-9a63-42ed-944b-44ada7313495",
			"created_at": "2022-10-25T15:50:23.671663Z",
			"updated_at": "2026-04-10T02:00:05.283292Z",
			"deleted_at": null,
			"main_name": "APT28",
			"aliases": [
				"APT28",
				"IRON TWILIGHT",
				"SNAKEMACKEREL",
				"Group 74",
				"Sednit",
				"Sofacy",
				"Pawn Storm",
				"Fancy Bear",
				"STRONTIUM",
				"Tsar Team",
				"Threat Group-4127",
				"TG-4127",
				"Forest Blizzard",
				"FROZENLAKE",
				"GruesomeLarch"
			],
			"source_name": "MITRE:APT28",
			"tools": [
				"Wevtutil",
				"certutil",
				"Forfiles",
				"DealersChoice",
				"Mimikatz",
				"ADVSTORESHELL",
				"Komplex",
				"HIDEDRV",
				"JHUHUGIT",
				"Koadic",
				"Winexe",
				"cipher.exe",
				"XTunnel",
				"Drovorub",
				"CORESHELL",
				"OLDBAIT",
				"Downdelph",
				"XAgentOSX",
				"USBStealer",
				"Zebrocy",
				"reGeorg",
				"Fysbis",
				"LoJax"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "20d3a08a-3b97-4b2f-90b8-92a89089a57a",
			"created_at": "2022-10-25T15:50:23.548494Z",
			"updated_at": "2026-04-10T02:00:05.292748Z",
			"deleted_at": null,
			"main_name": "APT29",
			"aliases": [
				"APT29",
				"IRON RITUAL",
				"IRON HEMLOCK",
				"NobleBaron",
				"Dark Halo",
				"NOBELIUM",
				"UNC2452",
				"YTTRIUM",
				"The Dukes",
				"Cozy Bear",
				"CozyDuke",
				"SolarStorm",
				"Blue Kitsune",
				"UNC3524",
				"Midnight Blizzard"
			],
			"source_name": "MITRE:APT29",
			"tools": [
				"PinchDuke",
				"ROADTools",
				"WellMail",
				"CozyCar",
				"Mimikatz",
				"Tasklist",
				"OnionDuke",
				"FatDuke",
				"POSHSPY",
				"EnvyScout",
				"SoreFang",
				"GeminiDuke",
				"reGeorg",
				"GoldMax",
				"FoggyWeb",
				"SDelete",
				"PolyglotDuke",
				"AADInternals",
				"MiniDuke",
				"SeaDuke",
				"Sibot",
				"RegDuke",
				"CloudDuke",
				"GoldFinder",
				"AdFind",
				"PsExec",
				"NativeZone",
				"Systeminfo",
				"ipconfig",
				"Impacket",
				"Cobalt Strike",
				"PowerDuke",
				"QUIETEXIT",
				"HAMMERTOSS",
				"BoomBox",
				"CosmicDuke",
				"WellMess",
				"VaporRage",
				"LiteDuke"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434652,
	"ts_updated_at": 1775826733,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/6210a8284c194a3a4aca173956c208ebb91be007.pdf",
		"text": "https://archive.orkl.eu/6210a8284c194a3a4aca173956c208ebb91be007.txt",
		"img": "https://archive.orkl.eu/6210a8284c194a3a4aca173956c208ebb91be007.jpg"
	}
}